The article explains how the pro-Russia influence ecosystem has matured into a resilient global asset that blends overt state media, covert influence operations, hacktivism, and cyber-enabled information operations. It highlights the growing use of generative AI, persistent campaigns such as Secondary Infektion, Operation Overload, Doppelganger, and NAEBC, and the likelihood that influence activity will increasingly target the EU, NATO, elections, and other global flashpoints beyond Ukraine. #SecondaryInfektion #OperationOverload #Doppelganger #NAEBC #NoName05716 #COLDRIVER #RT #RaHDit #XakNetTeam #UNC5101
Keypoints
- The pro-Russia influence ecosystem has evolved from wartime support for the invasion of Ukraine into a durable strategic capability with global ambitions.
- The ecosystem now combines overt media, covert influence operations, hacktivism, cyber espionage, and proxy actors in an interconnected structure.
- Ukraine remains a major priority, but targeting is shifting back toward pre-war objectives aimed at the EU, NATO, the United States, and other global targets.
- Generative AI is increasingly used for planning, research, and content creation across influence operations.
- Long-running campaigns such as Secondary Infektion, Operation Overload, Doppelganger, and NAEBC show persistence, adaptation, and reuse of infrastructure.
- Cyber-enabled IO tactics include hack-and-leak operations, data theft for narrative shaping, wiper malware, and website defacements.
- Russian state media, intelligence services, contractors, and hacktivist groups are described as mutually reinforcing parts of a self-sustaining influence ecosystem.
MITRE Techniques
- [T1587.001 ] Develop Capabilities: Malware – Pro-Russia actors are described as using and developing destructive tools, including wiper malware used alongside other influence activity (‘the deployment of wiper malware alongside website defacements’).
- [T1588.002 ] Obtain Capabilities: Tool – Third-party organizations and contractors were used to build custom tooling and support campaign execution (‘Outsourcing is used for developing custom tooling’).
- [T1591.002 ] Gather Victim Org Information: Business Relationships – Intelligence collection was used to understand and exploit relationships between target organizations and their audiences; the mapping is inferred from the article's description of collection supporting IO (‘information operations … to support their operations’).
- [T1589.002 ] Gather Victim Identity Information: Email Addresses – Narratives were pushed through closed channels such as email, which presupposes that the actors held target address lists; the article describes the channel, not how the addresses were collected (‘closed communication channels, such as emails’).
- [T1583.001 ] Acquire Infrastructure: Domains – Actors registered domains for influence operations and rotated or mirrored them to survive exposure, takedowns, and sanctions (‘UNC5101 register domains’; ‘cycling of domain infrastructure and/or use of mirror domains’).
- [T1036 ] Masquerading – Fake or inauthentic media brands were used to pose as legitimate news outlets (‘masquerade as independent news sources’).
- [T1566.002 ] Phishing: Spearphishing Link – Outreach through email and other closed channels can carry deceptive lures; the article documents the dissemination channel rather than a specific phishing lure, so this mapping is inferential (‘disseminate various types of pro-Russia narratives’).
- [T1213 ] Data from Information Repositories – Stolen information from espionage targets was used in public leak operations (‘data stolen from espionage targets in a high profile hack-and-leak operation’).
- [T1565.001 ] Data Manipulation: Stored Data Manipulation – Exfiltrated data was sometimes altered before publication so that the leak supported a chosen narrative; leaked material from these actors should therefore not be treated as authentic without independent verification (‘exfiltrated data, sometimes manipulated, is then publicized’).
- [T1498 ] Network Denial of Service – NoName057(16) used DDoS attacks against Ukraine, allies, and other targets (‘targeting Ukraine and its partners and allies with DDoS attacks’).
- [T1190 ] Exploit Public-Facing Application – Unauthorized access to a Ukrainian government online portal was publicly claimed as part of influence activity; the article reports the claim and does not describe the access vector (‘gained unauthorized access to a Ukrainian government online portal’).
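The domain entry above describes mirror domains and rotating infrastructure. Defenders tracking such campaigns usually cluster candidate sites by content rather than by domain, since the domains change but the templated page does not. The following is an added example, not code or data from the GTIG article: it normalizes fetched HTML (stripping tags, absolute URLs, domain mentions and timestamps), fingerprints the result, and groups domains whose content is identical or near-identical by word-shingle Jaccard similarity. The domains and pages are constructed sample data; the 0.8 similarity threshold is an assumption to tune on real collections.

```python
"""Cluster candidate mirror sites by normalized content fingerprint.

Added example, not from the GTIG article. All domains and HTML below are
constructed sample data, not real infrastructure.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample pages: two mirrors of one fake outlet that differ only
# in domain and a timestamp, plus one unrelated site that must not cluster.
SAMPLE_PAGES = {
    "euro-daily-report.example": (
        "<html><head><title>Euro Daily Report</title>"
        "<link rel='canonical' href='https://euro-daily-report.example/'></head>"
        "<body><h1>Euro Daily Report</h1><span class='ts'>2024-03-01 10:05</span>"
        "<p>Energy prices will triple this winter, analysts warn.</p>"
        "<a href='https://euro-daily-report.example/about'>About us</a></body></html>"
    ),
    "eurodailyreport-news.example": (
        "<html><head><title>Euro Daily Report</title>"
        "<link rel='canonical' href='https://eurodailyreport-news.example/'></head>"
        "<body><h1>Euro Daily Report</h1><span class='ts'>2024-03-02 08:41</span>"
        "<p>Energy prices will triple this winter, analysts warn.</p>"
        "<a href='https://eurodailyreport-news.example/about'>About us</a></body></html>"
    ),
    "gardening-tips.example": (
        "<html><head><title>Gardening Tips</title></head>"
        "<body><h1>Gardening Tips</h1><p>How to prune roses in early spring.</p></body></html>"
    ),
}


def normalize(html: str, domain: str) -> str:
    """Reduce a page to lowercase text with site-specific noise removed."""
    text = re.sub(r"<(script|style)\b.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)                              # drop tags
    text = re.sub(r"https?://[^\s'\"<>]+", " URL ", text)             # absolute links
    text = text.replace(domain, " ")                                  # bare domain mentions
    text = re.sub(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}", " TS ", text)  # timestamps
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(html: str, domain: str) -> str:
    """Exact-match fingerprint of the normalized page."""
    return hashlib.sha256(normalize(html, domain).encode()).hexdigest()


def shingles(text: str, k: int = 3) -> set:
    """Word k-grams, used to catch mirrors with small edits (bylines, dates)."""
    words = text.split()
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_mirrors(pages: dict, threshold: float = 0.8) -> list:
    """Return sorted groups of domains serving identical or near-identical content."""
    doms = sorted(pages)
    norm = {d: normalize(pages[d], d) for d in doms}
    sh = {d: shingles(norm[d]) for d in doms}
    parent = {d: d for d in doms}  # union-find over domains

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if norm[a] == norm[b] or jaccard(sh[a], sh[b]) >= threshold:
                parent[find(b)] = find(a)

    groups = defaultdict(list)
    for d in doms:
        groups[find(d)].append(d)
    return sorted(g for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for group in cluster_mirrors(SAMPLE_PAGES):
        print("mirror cluster:", ", ".join(group))
```

In practice the input would be the HTML you have already fetched for candidate domains (from passive DNS, certificate transparency or referral data); clustering on normalized content rather than on domain strings is what lets a newly registered mirror be tied back to a known campaign template.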
Indicators of Compromise (contextual references only; the article supplies no atomic indicators such as hashes, IP addresses, or specific domain names)
- [Threat Actor / Campaign Names ] referenced actors and campaigns – Secondary Infektion, Operation Overload, Doppelganger, NAEBC, UNC4057 (COLDRIVER), NoName057(16), PalachPro, UNC5101, XakNet Team, JokerDNR, Solntsepek, RaHDit
- [Organizations ] entities discussed in influence operations – Russia Today (RT), Russian Presidential Administration, GRU, NATO, EU; the reporting source is Google Threat Intelligence Group (GTIG)
- [File / Content Types ] malicious or deceptive content described – wiper malware, website defacements, hack-and-leak materials, false surrender messages
- [Domains / Infrastructure ] infrastructure behavior mentioned – mirror domains, registered domains, and other domain infrastructure used in campaigns
- [Platforms / Channels ] delivery and dissemination channels – Telegram channels, emails, SMS text messages, messenger apps
- [Geographic / Target References ] targeting context – Ukrainian government online portal, French National Assembly, German critical infrastructure and transportation targets, Milano Cortina Winter Olympics
Read more: https://cloud.google.com/blog/topics/threat-intelligence/pro-russia-influence-ecosystem/